Briefed

Security checks across malware telemetry and agentic risk

Overview

Briefed appears to do what it claims, but it needs review because its unauthenticated local web reader can expose stored Gmail newsletter bodies if the port is reachable beyond the user’s machine.

Install only if you are comfortable granting read-only Gmail access and sending newsletter-derived content to the configured model provider. Before running it continuously, bind the reader to 127.0.0.1 or add authentication, do not expose port 3001 to a network, protect the Gmail token file, and unload the LaunchAgent/revoke the OAuth grant when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares sensitive capabilities in metadata (`env`, workspace files) and also clearly uses network access, file writes, and local execution, but it lacks an explicit permissions model governing those actions. That mismatch makes review and enforcement weaker, increasing the chance that the skill can access credentials, write persistent state, and contact external services without clear operator consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the user to create and load a macOS LaunchAgent in `~/Library/LaunchAgents`, which establishes persistence outside the declared workspace. For a newsletter reader, persistence may be convenient, but directing installation into an OS autostart mechanism expands scope and creates a durable execution foothold beyond the stated file boundaries.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document claims the workflow should only read/write a small set of workspace files, but elsewhere it directs creation of a Gmail token file, installation of the app directory, and a LaunchAgent plist outside that list. This inconsistency undermines trust in the scope statement and can mislead users or enforcement systems about what the skill actually persists or modifies.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises access to Gmail contents, local web serving, notifications, and long-term interest tracking, but does not clearly disclose what data is collected, where it is stored, how long it is retained, whether newsletter content is sent to third-party models, or what network exposure the local app has. In a skill that processes private inbox data, missing privacy and data-handling warnings can lead users to grant sensitive access without informed consent, increasing the risk of unintended data exposure or unsafe deployment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Opening an email automatically sends a hidden 'open' vote to /api/vote without clear user notice or consent. In this newsletter intelligence context, that silently creates behavioral tracking data and may influence recommendation or profiling logic in ways the user does not expect.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script persists a Gmail OAuth refresh token to disk automatically after login, but gives no user-facing disclosure about where it will be stored or the sensitivity of that file. On shared systems or poorly secured workstations, that can lead to unintended credential exposure and ongoing mailbox read access.

Credential Access

High
Category
Privilege Escalation
Content
<string>/Users/YOUR_USER/.openclaw/workspace/briefed/server.js</string>
  </array>
  <key>EnvironmentVariables</key><dict>
    <key>BRIEFED_GMAIL_CLIENT_SECRET</key><string>/Users/YOUR_USER/client_secret.json</string>
    <key>BRIEFED_GMAIL_TOKEN_FILE</key><string>/Users/YOUR_USER/.openclaw/workspace/briefed-gmail-token.json</string>
  </dict>
  <key>RunAtLoad</key><true/>
Confidence
82% confidence
Finding
secret.json

Session Persistence

Medium
Category
Rogue Agent
Content
# Quick test
node ~/.openclaw/workspace/briefed/server.js

# Persistent — create ~/Library/LaunchAgents/ai.openclaw.briefed.plist
```

LaunchAgent plist template:
Confidence
94% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Persistent — create ~/Library/LaunchAgents/ai.openclaw.briefed.plist
```

LaunchAgent plist template:

```xml
<?xml version="1.0" encoding="UTF-8"?>
Confidence
90% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>ai.openclaw.briefed</string>
  <key>ProgramArguments</key><array>
Confidence
88% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>ai.openclaw.briefed</string>
  <key>ProgramArguments</key><array>
Confidence
88% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>ai.openclaw.briefed</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
Confidence
90% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<key>WorkingDirectory</key><string>/Users/YOUR_USER/.openclaw/workspace/briefed</string>
  <key>StandardOutPath</key><string>/tmp/briefed.log</string>
  <key>StandardErrorPath</key><string>/tmp/briefed.log</string>
</dict></plist>
```

```bash
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```

```bash
launchctl load ~/Library/LaunchAgents/ai.openclaw.briefed.plist
```

### 7. Create the daily cron job
Confidence
89% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
```

```bash
launchctl load ~/Library/LaunchAgents/ai.openclaw.briefed.plist
```

### 7. Create the daily cron job
Confidence
89% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.
